DEVOPS-2370 Node 4.10

.github/workflows/ci.yaml

@@ -125,9 +125,9 @@ jobs:
           method: kubernetes
           path: kubernetes-ci
           secrets: |
-            kv-gitlab-ci/data/github/ingress api_token ;
-            kv-gitlab-ci/data/github/ingress user_secret ;
-            kv-gitlab-ci/data/github/ingress user_uuid ;
+            kv-gitlab-ci/data/github/ingress-audit api_token ;
+            kv-gitlab-ci/data/github/ingress-audit user_secret ;
+            kv-gitlab-ci/data/github/ingress-audit user_uuid ;
             kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_name ;
             kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_secret ;
 
@@ -150,6 +150,9 @@ jobs:
           SKIP_CLUSTER_CREATION: true
           SKIP_IMAGE_CREATION: true
           WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }}
+          WALLARM_API_HOST: audit.api.wallarm.com # TODO: tmp
+          WALLARM_API_PRESET: audit # TODO: tmp
+          CLIENT_ID: "55146" # TODO: tmp
           USER_UUID: ${{ steps.secrets.outputs.user_uuid }}
           USER_SECRET: ${{ steps.secrets.outputs.user_secret }}
           SMOKE_REGISTRY_TOKEN: ${{ steps.secrets.outputs.token_name }}
@@ -161,6 +164,7 @@ jobs:
           ALLURE_PROJECT_ID: ${{ secrets.ALLURE_PROJECT_ID }}
           ALLURE_ENVIRONMENT_K8S: ${{ matrix.k8s }}
           ALLURE_ENVIRONMENT_ARCH: ${{ matrix.ARCH }}
+          TEST_RC: 'True'
         run: |
           make kind-smoke-test
 
@@ -187,7 +191,7 @@ jobs:
           role: ${{ secrets.VAULT_ROLE }}
           method: kubernetes
           path: kubernetes-ci
-          secrets: kv-gitlab-ci/data/github/ingress api_token
+          secrets: kv-gitlab-ci/data/github/ingress-audit api_token
 
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.0.2
@@ -211,6 +215,9 @@ jobs:
           SKIP_CLUSTER_CREATION: true
           SKIP_IMAGE_CREATION: true
           WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }}
+          WALLARM_API_PRESET: audit # TODO: tmp
+          WALLARM_API_HOST: audit.api.wallarm.com # TODO: tmp
+          CLIENT_ID: "55146" # TODO: tmp
           CT_MODE: ${{ matrix.method }}
         run: |
           kind get kubeconfig > $GITHUB_WORKSPACE/kind-config-kind
@@ -277,7 +284,7 @@ jobs:
           role: ${{ secrets.VAULT_ROLE }}
           method: kubernetes
           path: kubernetes-ci
-          secrets: kv-gitlab-ci/data/github/ingress api_token
+          secrets: kv-gitlab-ci/data/github/ingress-audit api_token
 
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3.0.2
@@ -301,6 +308,9 @@ jobs:
           SKIP_E2E_IMAGE_CREATION: true
           WALLARM_ENABLED: true
           WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }}
+          WALLARM_API_HOST: audit.api.wallarm.com # TODO: tmp
+          WALLARM_API_PRESET: audit # TODO: tmp
+          CLIENT_ID: "55146" # TODO: tmp
         run: |
           kind get kubeconfig > $HOME/.kube/kind-config-kind
           make E2E_NODES=6 kind-e2e-test

.github/workflows/helm-publish.yml

@@ -47,27 +47,14 @@ jobs:
           echo "Release type: ${TYPE}"
           echo "type=${TYPE}" >> $GITHUB_OUTPUT
 
-      - name: Publish Helm charts (Prod)
-        if: steps.check_release.outputs.type == 'production'
-        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # master
-        with:
-          token: ${{ steps.secrets.outputs.GITHUB_TOKEN }}
-          charts_dir: ./charts
-          charts_url: https://charts.wallarm.com
-          linting: off
-          repository: helm-charts
-          branch: main
-          target_dir: "wallarm-ingress"
-          index_dir: .
-          app_version: "${{ env.X_TAG }}"
-          chart_version: "${{ env.X_TAG }}"
-
-      - name: Update chart name for RC versions
+      - name: Update versions for RC
         if: steps.check_release.outputs.type == 'release-candidate'
-        run: yq -y -i '.name = "wallarm-ingress-rc"' ./charts/ingress-nginx/Chart.yaml
+        run: |
+          yq -y -i '.version += "-rc"' ./charts/ingress-nginx/Chart.yaml
+          echo "X_TAG=${X_TAG}-rc" >> $GITHUB_ENV
 
-      - name: Publish Helm charts (RC)
-        if: steps.check_release.outputs.type == 'release-candidate'
+      - name: Publish Helm charts
+        if: steps.check_release.outputs.type =~ 'production|release-candidate'
         uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # master
         with:
           token: ${{ steps.secrets.outputs.GITHUB_TOKEN }}
@@ -76,7 +63,7 @@ jobs:
           linting: off
           repository: helm-charts
           branch: main
-          target_dir: "wallarm-ingress-rc"
+          target_dir: "wallarm-ingress"
           index_dir: .
           app_version: "${{ env.X_TAG }}"
           chart_version: "${{ env.X_TAG }}"

.github/workflows/smoke-test.yaml

@@ -34,9 +34,9 @@ jobs:
           method: kubernetes
           path: kubernetes-ci
           secrets: |
-            kv-gitlab-ci/data/github/ingress api_token ;
-            kv-gitlab-ci/data/github/ingress user_secret ;
-            kv-gitlab-ci/data/github/ingress user_uuid ;
+            kv-gitlab-ci/data/github/ingress-audit api_token ;
+            kv-gitlab-ci/data/github/ingress-audit user_secret ;
+            kv-gitlab-ci/data/github/ingress-audit user_uuid ;
             kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_name ;
             kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_secret ;
 
@@ -59,12 +59,16 @@ jobs:
           ALLURE_ENDPOINT: ${{ secrets.ALLURE_SERVER_URL }}
           ALLURE_PROJECT_ID: ${{ secrets.ALLURE_PROJECT_ID }}
           WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }}
+          WALLARM_API_HOST: audit.api.wallarm.com # TODO: tmp
+          WALLARM_API_PRESET: audit # TODO: tmp
+          CLIENT_ID: "55146" # TODO: tmp
           USER_UUID: ${{ steps.secrets.outputs.user_uuid }}
           USER_SECRET: ${{ steps.secrets.outputs.user_secret }}
           SMOKE_REGISTRY_TOKEN: ${{ steps.secrets.outputs.token_name }}
           SMOKE_REGISTRY_SECRET: ${{ steps.secrets.outputs.token_secret }}
           ALLURE_ENVIRONMENT_K8S: ${{ matrix.k8s }}
           ALLURE_ENVIRONMENT_ARCH: amd64
+          TEST_RC: 'True'
         run: |
           if [ ${{ github.event_name }} == 'workflow_dispatch' ];
           then

AIO_BASE

@@ -1 +1 @@
-4.8.0
+4.10.0-rc1

TAG

@@ -1 +1 @@
-4.8.1-1
+4.10.0-1

charts/ingress-nginx/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: wallarm-ingress
-version: 4.8.5
-appVersion: 4.8.1-1
+version: 4.10.0
+appVersion: 4.10.0-1
 home: https://github.com/wallarm/ingress
 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer with Wallarm module
 icon: https://static.wallarm.com/wallarm-logo.svg

charts/ingress-nginx/templates/_helpers.tpl

@@ -320,6 +320,25 @@ Create the name of the controller service account to use
 {{ toYaml .Values.controller.wallarm.collectd.resources | indent 4 }}
 {{- end -}}
 
+{{- define "ingress-nginx.wallarmApifirewallContainer" -}}
+- name: api-firewall
+{{- if .Values.controller.wallarm.apifirewall.image }}
+  {{- with .Values.controller.wallarm.apifirewall.image }}
+  image: "{{ .repository }}:{{ .tag }}"
+  {{- end }}
+{{- else }}
+  image: "{{ .Values.controller.wallarm.helpers.image }}:{{ .Values.controller.wallarm.helpers.tag }}"
+{{- end }}
+  imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}"
+  args: ["api-firewall"]
+  volumeMounts:
+    - name: wallarm
+      mountPath: {{ include "wallarm.path" . }}
+  securityContext: {{ include "controller.containerSecurityContext" . | nindent 4 }}
+  resources:
+{{ toYaml .Values.controller.wallarm.apifirewall.resources | indent 4 }}
+{{- end -}}
+
 {{/*
 Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled
 */}}

charts/ingress-nginx/templates/controller-configmap-cron.yaml

@@ -35,3 +35,13 @@ data:
     # sync-node
     {{ .schedule }} /opt/wallarm/usr/share/wallarm-common/syncnode -f -p -r 120 -l STDOUT -L DEBUG
     {{- end }}
+
+    {{- with .Values.controller.wallarm.cron.jobs.syncApiSpecs }}
+    # sync-api-specs
+    {{ .schedule }} /opt/wallarm/usr/share/wallarm-common/sync-api-specs -l STDOUT
+    {{- end }}
+
+    {{- with .Values.controller.wallarm.cron.jobs.apiFirewall }}
+    # api-firewall
+    {{ .schedule }} /opt/wallarm/usr/bin/api-firewall --log-level=DEBUG
+    {{- end }}

charts/ingress-nginx/templates/controller-daemonset.yaml

@@ -198,6 +198,7 @@ spec:
       {{- if .Values.controller.wallarm.enabled }}
         {{ include "ingress-nginx.wallarmCronContainer" . | nindent 8 }}
         {{ include "ingress-nginx.wallarmCollectdContainer" . | nindent 8 }}
+        {{ include "ingress-nginx.wallarmApifirewallContainer" . | nindent 8 }}
       {{- end }}
     {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled .Values.controller.wallarm.enabled) }}
       initContainers:

charts/ingress-nginx/templates/controller-deployment.yaml

@@ -201,6 +201,7 @@ spec:
       {{- if .Values.controller.wallarm.enabled }}
         {{ include "ingress-nginx.wallarmCronContainer" . | nindent 8 }}
         {{ include "ingress-nginx.wallarmCollectdContainer" . | nindent 8 }}
+        {{ include "ingress-nginx.wallarmApifirewallContainer" . | nindent 8 }}
       {{- end }}
     {{- if (or .Values.controller.extraInitContainers .Values.controller.extraModules .Values.controller.opentelemetry.enabled .Values.controller.wallarm.enabled) }}
       initContainers:

charts/ingress-nginx/templates/tarantool-configmap.yaml

@@ -49,4 +49,9 @@ data:
     {{- with .Values.controller.wallarm.cron.jobs.exportBlockedStat }}
     # export-blocked-stats
     {{ .schedule }} timeout {{ .timeout }} /opt/wallarm/usr/share/wallarm-common/export-blocked-stats -l STDOUT -L DEBUG
-    {{- end }}
+    {{- end }}
+
+    {{- with .Values.controller.wallarm.cron.jobs.detectCredStuffing }}
+    # detect-cred-stuffing
+    {{ .schedule }} timeout {{ .timeout }} /opt/wallarm/usr/share/wallarm-common/detect-cred-stuffing -l STDOUT
+    {{- end }}

charts/ingress-nginx/values.yaml

@@ -27,7 +27,7 @@ controller:
     ## for backwards compatibility consider setting the full image url via the repository value below
     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
     ## repository:
-    tag: "4.8.1-1"
+    tag: "4.10.0-1"
     pullPolicy: IfNotPresent
     # www-data -> uid 101
     runAsUser: 101
@@ -790,7 +790,7 @@ controller:
       ## The image name and tag for the helper image
       ##
       image: docker.io/wallarm/node-helpers
-      tag: 4.8.1
+      tag: 4.10.0-rc1
     tarantool:
       kind: Deployment
       service:
@@ -874,9 +874,30 @@ controller:
         exportBlockedStat:
           schedule: "* * * * *"
           timeout: 24h
+        detectCredStuffing:
+          schedule: "* * * * *"
+          timeout: 10m
+        syncApiSpecs:
+          schedule: "* * * * *"
+          timeout: 10m
+        apiFirewall:
+          schedule: "* * * * *"
+          timeout: 10m
       resources: {}
     collectd:
       resources: {}
+    apifirewall:
+      resources: {}
+      livenessProbe:
+        httpGet:
+          path: "/"
+          port: 9667
+          scheme: HTTP
+        initialDelaySeconds: 10
+        periodSeconds: 10
+        timeoutSeconds: 1
+        successThreshold: 1
+        failureThreshold: 5
 
 # -- Rollback limit
 ##

rootfs/etc/nginx/template/nginx.tmpl

@@ -1288,6 +1288,21 @@ stream {
         {{ end }}
         {{ end }}
 
+        {{ if $all.Cfg.EnableWallarm }}
+        # api firewall
+        location ~ ^/wallarm-apifw(.*)$ {
+            wallarm_mode off;
+            proxy_pass http://api-firewall:8088$1;
+            error_page 404 431         = @wallarm-apifw-fallback;
+            error_page 500 502 503 504 = @wallarm-apifw-fallback;
+        }
+
+        location @wallarm-apifw-fallback {
+            wallarm_mode off;
+            return 500 "API FW fallback";
+        }
+        {{ end }}
+
         location {{ $path }} {
             {{ $ing := (getIngressInformation $location.Ingress $server.Hostname $location.IngressPath) }}
             set $namespace      {{ $ing.Namespace | quote}};

test/smoke/run-smoke-suite.sh

@@ -132,6 +132,7 @@ spec:
     - {name: ALLURE_PROJECT_ID, value: "${ALLURE_PROJECT_ID:-}"}
     - {name: ALLURE_TOKEN, value: "${ALLURE_TOKEN:-}"}
     - {name: ALLURE_RESULTS, value: "${ALLURE_RESULTS:-/tests/_out/allure_report}"}
+    - {name: TEST_RC, value: "${TEST_RC:-'True'}"}
     - name: ALLURE_LAUNCH_TAGS
       value: >
         USER:${GITHUB_ACTOR:-local},